| Code Value |
Definition |
| agent-disclosure | The incident was disclosed by the threat agent (e.g., public brag, private blackmail) |
| antivirus | The incident was discovered by an antivirus system |
| audit | The incident was discovered during an external security audit or scan |
| customer | The incident was reported by a customer or partner affected by the incident |
| external-fraud-detection | The incident was discovered through external fraud detection means (e.g., Common Point of Purchase reporting) |
| financial-audit | The incident was discovered during a financial audit and/or reconciliation process |
| hips | The incident was discovered from host-based IDS or file integrity monitoring |
| incident-response | The incident was discovered during the investigation of a separate incident |
| internal-fraud-detection | The incident was discovered through internal fraud detection means |
| it-audit | The incident was discovered by an internal IT audit or scan |
| law-enforcement | The incident was reported by law enforcement |
| log-review | The incident was discovered during a log review process or by a Security Information and Event Management (SIEM) tool |
| monitoring-service | The incident was reported by a managed security event monitoring service |
| nids | The incident was discovered by a network-based intrusion detection/prevention system |
| security-alarm | The incident was discovered by a physical security alarm |
| unknown | It is not known how this incident was discovered |
| unrelated-party | The incident was reported by an unrelated party |
| user | The incident was reported by a user |